Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    26/03/2024, 11:14

General

  • Target

    df071cea2b017b1429caef1d49d93dfd.exe

  • Size

    13.7MB

  • MD5

    df071cea2b017b1429caef1d49d93dfd

  • SHA1

    8abc0827c2469a356ca8a561330c59db7657c832

  • SHA256

    9567c4b9f9804cac7979f1be0a96f746cf1c80d69b04542e1c05bf6be20b6736

  • SHA512

    84df3a72cfea74bc54ba76b26c97c36f012e17cb545e3c0b665bbc72f73c8e5d1a8230e80f820a0484c0d96469a69ec9de198890e2e772c322bf71559a1d7f5c

  • SSDEEP

    98304:ijhd88888888888888888888888888888888888888888888888888888888888k:i

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iuqgfemf\
      2⤵
        PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vuemuahi.exe" C:\Windows\SysWOW64\iuqgfemf\
        2⤵
          PID:2676
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create iuqgfemf binPath= "C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe /d\"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2628
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description iuqgfemf "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2624
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start iuqgfemf
          2⤵
          • Launches sc.exe
          PID:2436
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2564
      • C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe
        C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe /d"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          PID:2924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vuemuahi.exe

    Filesize

    12.5MB

    MD5

    79cf8baf8d3873dd87d7681dbc15a4dc

    SHA1

    7947e89cfc29c25b4433f74d840d6a711bc9cff5

    SHA256

    23a396de79aaae96182a4d95cd3d00df4d39642a6ff8f062e35d306fed060116

    SHA512

    9584d4ffbdac9027d04f372399d035282699946bbd2df6fcbf7287d33ad0b9392c3162cfd48f4ff845df56b11de62f959f8f6bce71847fcd10d40aac7c3159a7

  • C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe

    Filesize

    1.0MB

    MD5

    4cff44cce4ee7ef3ba7cbb120b6418e1

    SHA1

    b78c21d61c6b64ac3bcf1ad77cac4ce1dd564182

    SHA256

    833efd62a13991b680f8fd0258864cb093f1d08dc9712ceaea861d3d805c59b9

    SHA512

    280db0b6c3679305c642b9918ec1996f47a670c1e1d8f14824c7dde21e2a9b8ab1f12e9c3c87a3330093bfd9821b3c104ff3669d074e26a32b13f1f0b2a412b6

  • memory/2428-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2428-10-0x00000000005E0000-0x00000000006E0000-memory.dmp

    Filesize

    1024KB

  • memory/2428-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2792-8-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2792-3-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2792-7-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2792-1-0x0000000000520000-0x0000000000620000-memory.dmp

    Filesize

    1024KB

  • memory/2792-2-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2924-15-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2924-19-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2924-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2924-12-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2924-20-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2924-21-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB

  • memory/2924-22-0x0000000000080000-0x0000000000095000-memory.dmp

    Filesize

    84KB